Following enforcement cases and compliance with the Texas Data Broker Law, the Texas Data Privacy and Security Act, Texas Deceptive Trade Practices Act (DTPA), and applicable federal standards.
On June 4, 2024, Texas Attorney General Ken Paxton launched a Data Privacy and Security Initiative under the Consumer Protection Division of the Office of the Attorney General (OAG) that included hiring a new group of attorneys to enact this initiative. This initiative reflects the increasing concerns surrounding the misuse of personal data and misleading statements about how personal data is handled and seeks to ensure that companies comply with Texas’s expanding set of privacy laws and existing consumer protection laws. With a focus on protecting Texans from illegal exploitation of personal information—especially sensitive data like biometric information and details collected through artificial intelligence (AI)—the initiative aims to enforce compliance with the Texas Data Broker Law, the Texas Data Privacy and Security Act, Texas Deceptive Trade Practices Act (DTPA), and applicable federal standards.[1]
The Texas AG’s initiative is already in full force. Just two days after the announcement, the OAG opened an investigation into the data collection practices of major car manufacturers. This investigation, sparked by reports that car companies were collecting and selling customer data to third-party insurers without proper notice or consent, is part of a larger trend in targeting privacy violations.[2] Then, on June 18, the OAG notified 100 companies of their failure to comply with the Texas Data Broker Law, which requires companies that trade in personal data to register and adhere to state privacy requirements.[3] These swift and broad actions signal an aggressive enforcement posture from the Texas AG’s office, making it clear that privacy protections will be a priority for individuals and businesses alike.
While privacy investigations often take time to develop, Texas has moved at a rapid pace. In August 2024, based on its June investigation, the AG’s office filed a lawsuit against General Motors (GM). The lawsuit alleges that GM unlawfully collected driving data from over 1.5 million Texans and sold this data to third-party insurers.[4] The core issue in the GM case is not just the collection of data but how this information was harvested—through vehicle technology—and how customers were misled during the onboarding process. According to the OAG, GM failed to disclose its data collection practices clearly, thus violating consumer protection laws.
Most recently, the Texas AG reached a landmark settlement with Pieces Technologies, a healthcare AI company. The settlement resolved claims that Pieces Technologies had misled hospitals about the accuracy and safety of its AI products, which were used to analyze patient data in real time.[5] The settlement mandates that Pieces must correct its disclosures on product accuracy and ensure that healthcare providers are properly trained on the limitations of AI in patient care. While privacy and data collection were at the heart of the investigation, the underlying legal action was brought under the DTPA.
This use of the DTPA is a noteworthy aspect of Texas’s evolving privacy enforcement strategy. Although the GM and Pieces cases center on data collection issues, neither was pursued based on violations of privacy-specific laws. Instead, the Texas AG used the DTPA, which prohibits deceptive advertising and misleading business practices. By leveraging the DTPA, the AG can take action against companies that mislead customers about their data practices even if no direct violations of the Texas Data Broker Law, the Texas Data Privacy and Security Act, or federal privacy regulations exist. This broader enforcement approach creates additional risks for businesses across industries that may have unclear or misleading data policies.
For businesses, the key takeaway is simple: transparency is critical. Companies must review their privacy policies and marketing materials to ensure that they accurately represent their data collection, use, and sharing practices. Additionally, as new technologies like AI-driven tools, chatbots, and other data-gathering features are integrated into products or services, privacy policies must be updated to reflect these changes accurately.
To mitigate the risk of enforcement actions, businesses should prioritize regular reviews of their privacy policies and ensure that their advertising materials provide clear, accurate representations of how customer data is handled. If your company needs help ensuring compliance with Texas privacy laws and avoiding potential legal pitfalls, contact us today for a thorough assessment.